On 11 Aug 2014, at 10:33 am, Ken Gaillot <kjgai...@gleim.com> wrote:
> On 8/10/14 7:24 PM, Andrew Beekhof wrote:
>> On 10 Aug 2014, at 7:10 pm, Oren <theore...@hotmail.com> wrote:
>>
>>> Hi,
>>> Can you support pacemaker without gnutls as it is not FIPS compliant?
>>
>> It's not?
>>
>>> This dependency may be replaced by openssl, with a configure flag to control this.
>>
>> We'll certainly consider a patch that did this.
>> I don't know enough about openSSL to create it though.
>
> FYI this is nontrivial. The FIPS-certified OpenSSL is not the one normally distributed; applications (pacemaker in this case) have to be able to use a special, source-only OpenSSL component as-is, with not the slightest modification to the source or its build process. Woe unto them who need to change a single character: "screw that" :)
>
> "New FIPS 140-2 validations (of any type) are slow (6-12 months is typical), expensive (US$50,000 is probably typical for an uncomplicated validation), and unpredictable (completion dates are not only uncertain when first beginning a validation, but remain so during the process)."
>
> https://www.openssl.org/docs/fips/fipsnotes.html
>
> The payoff is access to U.S. government contracts, if you're into that sort of thing.
>
> Ironically, the FIPS-certified OpenSSL can be considered less secure than the uncertified version, because due to the nature of certification, bugs and holes get patched much more slowly:
>
> https://blog.bit9.com/2012/04/23/fips-compliance-may-actually-make-openssl-less-secure/
>
> --
> Ken Gaillot <kjgai...@gleim.com>
> Gleim NOC
>
> _______________________________________________
> Pacemaker mailing list: Pacemaker@oss.clusterlabs.org
> http://oss.clusterlabs.org/mailman/listinfo/pacemaker
>
> Project Home: http://www.clusterlabs.org
> Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
> Bugs: http://bugs.clusterlabs.org